{"id":"RUSTSEC-2026-0136","summary":"Command injection in Diesel's implementation of `COPY FROM`/`COPY TO`","details":"Diesel allows users to configure various options for PostgreSQL's `COPY FROM` and `COPY TO` statements. These configurations are partially provided as strings or characters.\n\nDiesel did not check whether any of these user-provided options contain a quote character `'`, which can lead to the injection of additional options into the current `COPY FROM`/`COPY TO` statement.\n\nThis vulnerability affects any user of `COPY FROM`/`COPY TO` that passes user-provided input to any of the affected functions. It can result in modifications of options in the current statement, but it is not possible to inject additional statements.\n\n## Mitigation\n\nThe preferred mitigation for the outlined problem is to update to Diesel version 2.3.8 or newer, which includes fixes for the problem.\n\n## Resolution\n\nDiesel now correctly escapes any quotes contained in the provided arguments.","modified":"2026-05-13T14:32:26.418371Z","published":"2026-04-24T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/diesel"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2026-0136.html"},{"type":"WEB","url":"https://github.com/diesel-rs/diesel/pull/5042"}],"affected":[{"package":{"name":"diesel","ecosystem":"crates.io","purl":"pkg:cargo/diesel"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"2.3.8"}]}],"ecosystem_specific":{"affects":{"arch":[],"functions":["diesel::pg::CopyFromQuery::with_default","diesel::pg::CopyFromQuery::with_delimiter","diesel::pg::CopyFromQuery::with_escape","diesel::pg::CopyFromQuery::with_null","diesel::pg::CopyFromQuery::with_quote","diesel::pg::CopyToQuery::with_delimiter","diesel::pg::CopyToQuery::with_escape","diesel::pg::CopyToQuery::with_null","diesel::pg::CopyToQuery::with_quote"],"os":[]},"affected_functions":null},"database_specific":{"informational":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0136.json","categories":["format-injection"],"cvss":null}}],"schema_version":"1.7.5"}